Code, Compliance, & Consequences: What’s Regulated & What Isn’t

Hello, good afternoon, everyone. My name is Sasha Hodder. I'm founder and principal attorney with Hodder Law Firm, and today's panel is about code, compliance, and consequences. We're going to be speaking with two of the industry's top lawyers. They've been dealing on the ground with the Free Samourai case and the Roman Sterlingov case. Tor and Zack Shapiro, I'll let you introduce yourselves.

​

Hi, I'm Tor Ekeland. I represent a lot of people accused by the federal government of computer crime. As Sasha said, I represent Roman Sterlingov, who is currently litigating his appeal for his conviction for running the Bitcoin Fog mixer.

​

I'm Zack Shapiro, head of policy at the Bitcoin Policy Institute. We do Bitcoin policy in D.C. Part of my role there is that I'm also executive director of the Peer-to-Peer Rights Foundation, which is a nonprofit litigation fund to protect developers who build noncustodial tools from the type of prosecution we're going to talk about today. I also run a law practice called Rains LLP, where I work with a lot of people building this technology and help them navigate questions of where the line is between money transmission and not.

​

Very good. As the first thing, can you each introduce the cases you've been working on and give the audience a little background on what's going on with Roman Sterlingov and what's going on in the Samourai case?

​

The Samourai case, I'm not defense counsel in that case. They have had excellent defense lawyers. That case, unfortunately, is done. It ended in guilty pleas for both defendants to unlicensed money transmission, in return for the government dropping the money laundering charges, which would have carried harsher penalties.

​

This was, to my mind, a clear example of the government exerting pressure to plead to something that doesn't make a ton of sense. The defendants in the Samourai Wallet case weren't transmitting anyone's money. Their users were transmitting their own money through a noncustodial tool called a coinjoin. In most cases, it was people using Samourai's Whirlpool coinjoin to send their own money to themselves, just using software that was available.

​

In exchange for not carrying the threat of 20 years in prison over the heads of these developers, they had to allocute to knowingly transmitting criminal funds, which is a deeply unjust result. We're hoping the Trump administration might see fit to pardon those defendants.

​

As I said, I represent Roman Sterlingov. Roman is a dual Swedish-Russian national citizen who has been living in Sweden since he was 14. He got into Bitcoin in about 2010, and as probably everybody in this room knows, in 2010 you could get a Bitcoin for about $3.22.

​

I'm convinced he's completely innocent of what he was convicted of. He was convicted of running a custodial mixer called Bitcoin Fog, which started in October 2011. He's in Sweden the entire time. He gets off an airplane at LAX in 2021, and all of a sudden he is arrested by the FBI. He's told he's being arrested for money laundering through Bitcoin Fog and unlicensed money transmission, the same thing they got the Samourai Wallet guys on.

​

When they arrest him, he's carrying three laptops, 10 years' worth of diaries, thumb drives, because he's a digital nomad. Not a single piece of evidence on any of his devices ever shows him operating Bitcoin Fog. There were no eyewitnesses at trial saying they saw him operate Bitcoin Fog. The entire case was circumstantial. It was after-the-fact government investigators testifying about their use of new proprietary software you may be familiar with, Chainalysis Reactor.

​

Nonetheless, the jury found him guilty, even though there was no real evidence of him ever operating Bitcoin Fog. This is something that should worry anybody, anywhere in the world. There was no evidence that he ever did anything in the United States, yet they put him on trial in Washington, D.C. Right now, he's doing a 12-and-a-half-year sentence. He's done about five years.

​

I've never had a case where I've been so convinced that my client is innocent. I have represented probably some of the best hackers in the English-speaking world at this point, and I've been doing this for about 15 years. I've never had a client where the government arrested him, got all of the client's devices, and there was no evidence on the devices of them doing anything. I just don't know anybody who's that good. Either he's some super genius who's better than anybody I've ever seen, in which case maybe they should release him for that, or the reality is I think he's completely innocent and got railroaded in this crazy war on crypto.

​

There is also the Roman Storm situation with Tornado Cash, which is very similar to these ones. It's noncustodial software, and in his case he is being charged with unlicensed money transmission. How are you transmitting money if you have no ability to stop the transaction midway? Maybe you can speak to where the line is between operating software, publishing software, and then being considered a money transmitter.

​

I guess it depends if you're asking me or asking the Southern District of New York, because you'll get different answers. Where I think the line is, if you read the criminal statutes implementing the Bank Secrecy Act, where all these laws come from, the line is: are you accepting and then transmitting funds on behalf of the public? If it sounds like between accepting and transmitting you need to have control or custody of the funds, I agree with you.

​

I think that's where the line is. When I talk to people building in the space, the question is: do you have custody, which is really about access to keys, or do you have control, which is the unilateral ability to send funds to whatever destination you choose? If you do, then you would be regulated as a money transmitter and money services business, and subject to the Bank Secrecy Act and KYC/AML obligations. If you don't, then you're just building software, and it's your users who are transmitting funds, not you.

​

What is so upsetting about the Samourai Wallet case and the Tornado Cash case is that you could have followed that line to a T. In fact, Roman Storm, Bill, and Keonne all got legal advice on this exact question, and the government is prosecuting them anyway.

​

The Samourai Wallet case ended more quickly than we got a full view of the government's theory. In Tornado Cash, we got a better sense of how the government thinks about this. Their view is essentially that if you facilitate the movement of funds, you're a money transmitter. The deeply frightening thing about that is it doesn't have a limiting principle. Where does that stop with facilitation?

​

The mental model I have is: if you're the timber company that chops down the tree that makes the wood that makes the paper that makes the envelope that one criminal uses to hand cash to another criminal, do you need to KYC everyone who used your envelope? That doesn't make any sense.

​

In the government's brief in the Tornado Cash case, they said money transmission doesn't require custody or control because a frying pan transmits heat and a USB cable transmits data, and neither has custody of the thing it's allegedly transmitting. These are the real examples they used. But I think they're making their case too clear. Is a frying pan guilty of it? It does not make any sense.

​

The line, I think, is and should be this line of custody and control. That is the line in the Blockchain Regulatory Certainty Act provisions of the CLARITY Act, which is the crypto market structure bill making its way through Congress right now. We're really hoping it will pass before July of this year. That would hopefully prevent cases like Tornado Cash and Samourai Wallet from happening in the future. But there is what the Bank Secrecy Act seems to say, and then there is what a judge or prosecutor can interpret it as, and that is the gap we need to close.

​

We saw in the Samourai case that they were looking a lot at intent and tweets, and the same thing with Roman Storm. I think they referenced a T-shirt that he wore, and they put two text messages that he sent several months apart next to each other as if it was a congruent sentence.

​

That's a slightly separate question. Each of the defendants in those cases, in addition to unlicensed money transmission, was charged with substantive money laundering offenses, and that's really about intent. I don't think any of those defendants are truly guilty of money laundering. There was a hung jury for Roman Storm, and the government dropped the money laundering charges against Bill and Keonne.

​

But at least you can make sense of the government bringing those charges and what they mean. It's like, did you intend to help criminals? Yes, all of the evidence there was a stretch. In the Samourai Wallet case, it was joking tweets. In the Tornado Cash case, it was this T-shirt. But you have to prove specific intent.

​

What's so pernicious about the money transmission thing is it's not about intent. They're getting you on a technical compliance failure that you had no reason to know applied to you.

​

I want to make a comment on that intent thing, because we had something happen in our case that shows what the law should be versus what they did in our case with Roman and the money laundering charge. If you read the statute, it says you need specific intent. They introduced something called a willful blindness instruction, which is a totally judicially invented doctrine nowhere in the statute that Congress passed.

​

What it essentially says is: maybe you didn't know anything about it, because they really didn't have any evidence of him knowing about anything, but you should have known about it. That's really scary, because that's not a criminal mens rea standard. It's more like a negligence, civil standard, and you can convict anybody in this room on that standard.

​

I think this goes to one point here: there is no clear line because this is such a new area of law. It's undefined. It's a new technology. I see this in my other computer cases. When you have this sort of zone of law that's undefined, it allows prosecutors to run amok, and that's what they're doing in the Bitcoin space.

​

I fundamentally think all of these prosecutions are political prosecutions. I see it generally with DOJ. When the administration changes, the prosecutorial priorities change. But in these prosecutions, nobody has really done anything bad. There are no victims from Samourai or Tornado Cash. It's just people who have this mindset that we need to control the money, because if you control the money, you control the people. They're launching these political prosecutions that are devastating to people, devastating to innovation, and devastating to privacy.

​

We were all very hopeful with the administration change. Most of these cases started under the Biden administration, and Trump came in and said he was going to free Ross Ulbricht. It was hopeful all these cases would be dropped, and a lot of the SEC cases were dropped. But these seemingly more important cases, where people are in jail over these charges, haven't changed. We had the Blanche memo come out last spring that basically said they're not going to continue prosecuting this, and they are. Where do you think it's headed? Or why do you think these prosecutions have continued after that Blanche memo?

​

There's still time for the administration to do the right thing, and we're hopeful on that. The Blanche memo, and frankly what Todd Blanche said at this conference yesterday, is a really laudable viewpoint on how these cases should proceed. We should not bring more of these cases. We should not hold third-party developers responsible for what the users of their software do, unless they are specifically aiding them.

​

Reading the Blanche memo, I think the Tornado Cash and Samourai Wallet cases are plainly inconsistent with both the spirit and the letter of the memo. Again, the Southern District of New York seems to take a different view on that than mine.

​

This is going to become a much bigger problem with AI. At the highest level, the question is that Bitcoin and blockchain technology blur the line between regulated financial activity and software. That's a really important line because software is protected by the First Amendment. If you overreach criminal regulations over regulated financial services into the software space, that has a really chilling impact on freedom.

​

That line is about to be even more blurred when we have agentic commerce and people use whatever comes next, a few years from now, maybe a version of Claude that is way smarter than what we have now, and they say, go make money. Then Claude spawns another Claude that goes and does something on DeFi, and it's completely unforeseeable what the fourth Claude down the line is going to do based on your prompt to go make money.

​

How are we possibly going to handle this if we say that if you facilitate the movement of money, you're regulated as if you were a literal bank? I think it is incredibly important to get this line right. In spirit, the Blanche memo does that, and in spirit, a lot of what this administration says does that.

​

But one of the things Acting Attorney General Blanche said yesterday that I take issue with is that software developers shouldn't fear being held responsible for the acts of their users unless they are helping those users commit crimes or know that they're committing crimes. That line between helping and knowing is all the difference in the world. If you're Apple, you know people are using Macs to commit crimes. If you're Victorinox, you know people are stabbing each other with Swiss Army knives from time to time. We don't hold you criminally responsible for that. We hold you criminally responsible if you aid and abet the crime.

​

The government in both the Samourai Wallet and Tornado Cash cases couldn't make that out. In Tornado Cash, they couldn't convince a jury that Roman intended to help the North Koreans launder money. The government dropped that same charge in the Samourai Wallet case. So they use this lower knowledge standard that has absolutely no place in criminal law when we're talking about building software tools.

​

On the Blanche memo, I thought the memo was dead on. I read it and thought, this is great. Attorney General Blanche says in it that we're not going to make mixer operators responsible for the crimes of their end users unless they know about it. I thought, great, this is Roman Sterlingov's case. I sent a letter with the memo to the appellate lawyers at DOJ handling the case. I got crickets.

​

It's a really nice memo. It would be great if DOJ followed it. I can't tell right now if there's just so much chaos in DOJ. It's not this singular institution. The Southern District of New York is called the Sovereign District of New York. There are factions, there is pushback. I don't know what's going on, but if they followed the letter of that memo, all of the crypto prisoners would be free. I don't understand the dissonance there. Maybe they don't have control of DOJ, but if they do, they should follow the memo and set them all free.

​

Completely victimless crimes. In Keonne's letters from the inside, when I read that he is there cleaning toilets, it was just like one of our industry's brightest minds is stuck in there like that. It's just awful.

​

In Storm's case, they said criminal liability kicks in when the platform is used in large part by criminals. It's another thing like that knowing standard. They keep using standards that are very difficult to know. Where is the line? In large part used by criminals. Right now they're saying with the BTM industry, Bitcoin ATMs, that this is really being used in large part by criminals. But who's determining that number? It's the government coming in and saying there are so many scams, they've done analysis, and determined most transactions are scams. I think they came out at 91%. I don't know how they came up with that. In Tornado Cash, I think they came up with 15% of the transactions having some kind of criminal element to them. In Samourai, I think it was only 2% that they said were illicit transactions. What can we do with these moving target lines the government uses?

​

Substantially, that's just not what the law is. Privacy technology is not illegal. Unlicensed money transmission is illegal, but at least on the noncustodial side, there's no money transmission. We just need to follow the Blanche memo. That is the answer again and again to this.

​

I do think we should be somewhat circumspect. There is a lot of fraud and crime that happens, including using these tools. Especially with Bitcoin ATMs, we have a really bad problem with pig butchering scams that are horrible and victimize people in terrible ways. By the way, the people perpetrating these crimes live in horrible slavery-like conditions in Cambodia.

​

But what we should do is focus our law enforcement efforts on disrupting that, on helping the victims, rather than on the infrastructure itself. I would welcome some version of real, thoughtful consumer protection laws that say maybe we want a warning screen on a Bitcoin ATM: is someone pressuring you to do this? Are you withdrawing money for an opportunity that seems too good to be true? Do you know the person you're sending money to? Do you understand the risks involved? If that is what we were doing to stop people from falling victim to crime, great.

​

Focusing on the people who build the tools, aside from not being how the law works and being really bad for freedom, is just a really bad distraction from the legitimate functions of law enforcement in helping people who are scammed using cryptocurrencies.

​

I don't believe the government statistics, and I don't think just because the government says something is true that it's true. The primary software they use for these statistics is called Chainalysis Reactor. We were the first case, as far as I can tell, to challenge that software.

​

When I cross-examined their expert in something called a Daubert hearing, all I did was ask the questions that the leading Supreme Court case asks you to ask about any kind of expert forensic technology. I asked, can you tell me your software's error rate? They said no. Can you tell me the software's rate of false positives? No. Can you tell me its rate of false negatives? No. Have you done any internal error analysis on your software? No. Can you name one scientific, peer-reviewed paper attesting to the accuracy of your software? No.

​

Yet the judge still let it in, based on anecdotes of law enforcement. The first thing is, I'm not going to give any credit to their statistics, because this is a completely unregulated field without any standards, and they're just making shit up left and right. They're saying you need to believe it because we're the government.

​

The other point is they would never do this kind of stuff with banks. If you look at what banks do for basically the same kind of behavior, and you used that as your model for what's legal in Bitcoin or crypto, you'd be making a huge mistake. They're going after crypto people and throwing them in jail in a way that, when banks launder billions of dollars, they get a slap on the wrist. They get a deferred prosecution agreement. DOJ's primary core function, it seems, even in this administration by the way they're acting, is to defend the fiat money system. That's messed up, and that goes back to these things being essentially political prosecutions and arbitrary in the sense that they're just making them up.

​

There are no bank CEOs in jail right now for all the money laundering.

​

Where do you think the line should be? How should noncustodial Bitcoin be regulated, if at all? I'm of the opinion that FinCEN got it right in 2019 when they published guidance saying noncustodial is not regulated, but if you're holding funds, you are. I've always looked at it with the model of, if you can steal the funds from the customers, then sure, you should be regulated the same as a bank. At first, when we were learning about this industry, everyone was up in arms even that a custodial one would have to be regulated. But noncustodial seems pretty clear. FinCEN got it right originally, and now they've just pushed the line. If you were able to set the law, how would you do it?

​

I think that's a fine place to set the law. There are still obligations under OFAC sanctions rules not to do business with sanctioned parties. That seems relatively reasonable to me. It's really where the affirmative obligations under criminal penalties, like a bank, are just not feasible to comply with for most noncustodial tools.

​

I would pivot to a related topic. Bitcoin was not the first attempt at doing what Bitcoin did. The reason most of its predecessors failed is because there was a central intermediary of some sort that the government could exert pressure on, or arrest someone and stop it. Bitcoin is a truly decentralized, resistant ecosystem that could thrive on its own.

​

If we're going to get out of this, I'm increasingly pessimistic that it's going to be because of the grace of the regulators. We're going to have to build our way out of this in the same cypherpunk way and the same spirit that Satoshi built Bitcoin.

​

It's something I've believed for a while, and the hard part is that the user experience around noncustodial tools is difficult. Learning how to use a smart contract directly instead of doing it through a front end, like in the Tornado Cash case, is really difficult. Having something truly robust and anti-fragile is really difficult.

​

Recently, I've become very optimistic. This is another area where AI comes to the rescue, both in terms of the ability to build and proliferate software without having to raise venture capital. People can vibe-code tools to their hearts' content, a thousand flowers can bloom, and some are going to turn out to be really useful. Then, in terms of user experience, getting someone to use a noncustodial Lightning wallet without KYC instead of a custodial model with money transmitter licenses becomes easier. You don't need to learn how to balance the liquidity anymore. Claude can do that for you.

​

As people become more used to using AI agents as the gateway to their computers, I think there is a tremendous opportunity to build a ground-up, noncustodial ecosystem. Whatever the government wants to do, whatever this administration or the next administration wants to do, these are peer-to-peer tools run over decentralized networks like Nostr that just can't be stopped.

​

In the same way that Bitcoin was so self-evidently a peer-to-peer system that there was no one to throw in jail, and it didn't depend on Satoshi, I am optimistic that we have an opportunity now to do that writ large with all of the infrastructure we need to move this industry and this movement forward.

​

I would regulate the regulators, and I would regulate the forensic software they're using. In our case, Chainalysis Inc., which owns Chainalysis Reactor, the main proprietary closed-source software that we weren't allowed to see the code for, bought a company five months after Roman was arrested from the primary IRS criminal investigator in the case. They also hired one of the prosecutors during the pendency of the case. The message that sends to prosecutors is: if we do good for Chainalysis, Chainalysis is going to give me a nice cushy job after this.

​

Chainalysis, blockchain forensic software is completely unregulated. There are no standards. There is no peer review. There is absolutely nothing. When you hear all these statistics about money laundering, clustering, and all this stuff, they don't have reliable scientific evidence for that. Stop believing that, and the first step is reining in the regulators and regulating this forensic software that they're using to accuse everybody.

​

If they're going to make attributions, they really need to have the private keys to these addresses. In Roman's case, they were doing traces and attributing funds to him two dozen hops on the blockchain without a single private key.

​

Roman was in Miami in 2017. They put him under a wiretap. No evidence he was running Bitcoin Fog. He had a server in Romania for a VPN business. They put that under a wiretap. No evidence he was running Bitcoin Fog. They never bothered to search his apartment in Sweden after he was arrested to get his home computer, and that tells me they were worried that when they got that, they would find nothing. The regulators need to be regulated.

​

Absolutely, Tor. I love that. What can people in the audience do to help Roman Sterlingov or any of the other crypto prisoners? What can we do at this point?

​

Two things. One is make noise for the Free Samourai and Free Roman Storm movement, and make it clear to the White House that if we're going to be the crypto capital of the world, we can't have crypto political prisoners. Those two things don't work together.

​

The other is, please call your congressperson or senator and advocate for passage of the CLARITY Act, specifically with the developer protections from the Blockchain Regulatory Certainty Act. It seems like it's 50-50 whether the CLARITY Act is going to pass, and there is a real danger that there will be a deal where they cut out the developer protections in order to basically legalize ICOs, which is what a lot of the money behind that law is meant to do. That would be a horrible trade.

​

Calling is much better than writing. When you call your senator's office, staffers actually keep track of how many people call about an issue. If you can take the time to pick up the phone and say this is an issue you care about, that really does go a long way.

​

Just make a bunch of noise about it. Talk to everybody. Google Free Samourai. The website will come up. FreeRoman.org. Free all the Romans. Just keep talking about it. All politics is local. It doesn't matter where it is: at the dinner table, at the bar, wherever. Raise awareness of it, because all these people are innocent and they should be free.

​

Thank you, everyone.